Establishing a VPN tunnel using Cisco Easy VPN is almost exactly the same process as any other IPSec VPN tunnel establishment. The difference is that the security policy is defined on the headend (the Easy VPN Server) and pushed to the remote device during the negotiation, so the remote needs very little local policy of its own. The following sections walk through the process of establishing a tunnel using Cisco Easy VPN.

IKE Phase 1 Process Initiation

With Easy VPN, the Easy VPN Remote always initiates tunnel establishment by connecting to the Easy VPN Server. IKE negotiation can take place in one of two modes, main mode (MM) or aggressive mode (AM). The modes differ only in the number of packet exchanges required between the headend device and the remote device to establish the IKE Phase 1 tunnel (six for main mode, three for aggressive mode). An Easy VPN Remote that authenticates with a group pre-shared key uses aggressive mode, because the server needs the group identity in the first exchange to look up the key. The price is that aggressive mode sends that identity and the pre-shared-key-based authentication hash before any encryption is in place, so the group key must be strong and is never the only credential; XAUTH (below) adds the per-user check.

Establishing SAs

The Easy VPN Remote sends all its IKE security proposals (every combination of encryption algorithm, hash, authentication method, and Diffie-Hellman group it supports) to the Easy VPN Server. It is the Easy VPN Server that decides which of the received proposals to use.

Acceptance of SA Proposal

The Easy VPN Server chooses which Easy VPN Remote proposal to accept by comparing the proposals against its own ISAKMP policies in the order of the priority numbers you configured on the server; the first server policy that matches one of the remote's proposals is the one used.

Initiating XAUTH

After the devices agree on a security proposal and each has authenticated the other with the group key or certificate, the server initiates XAUTH (Extended Authentication). The Easy VPN Server prompts the Easy VPN Remote for a username and password, which it checks against a AAA server or its local user database; if the credentials are accepted, IKE Phase 1 continues. XAUTH is what ties the tunnel to an individual user rather than to the shared group key.

Initiating Mode Configuration

If XAUTH succeeds, the Easy VPN Remote requests mode configuration parameters from the Easy VPN Server, and the server pushes them to the remote device. These parameters include the IP address the remote will use inside the tunnel and items such as DNS server addresses and the domain name.

Initiating Reverse Route Injection

After the Easy VPN Server assigns an IP address to the Easy VPN Remote, the server uses reverse route injection (RRI) to create a static route to that address in its routing table. Because that route can be redistributed into the internal routing protocol, this step ensures that devices behind the Easy VPN Server can reach the Easy VPN Remote.

Connection Establishment

After mode configuration is finished, the next phase of negotiation is the IKE Phase 2 tunnel. The IKE Phase 2 tunnel is synonymous with the IPSec tunnel: whenever you think of IKE Phase 2, think IPSec tunnel. The IKE Phase 2 negotiation exchanges and agrees on the IPSec security parameters (transform set, SA lifetime, and the traffic to be protected) that establish the IPSec tunnel. Once IKE Phase 2 negotiation is finished, the Easy VPN Remote has an established IPSec tunnel and can access organization resources.
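As an added example (not taken from the original text and not Cisco's own sample), the following Cisco IOS Easy VPN Server configuration maps each step of the procedure above onto the command that controls it: the ISAKMP policy priorities decide which remote proposal is accepted, the AAA login list drives XAUTH, the client configuration group and address pool supply the mode-configuration parameters, `reverse-route` in the dynamic crypto map performs RRI, and the transform set defines the IKE Phase 2 (IPSec) parameters. The group name REMOTES, the pool and server addresses, the split-tunnel ACL, and the local user alice are assumptions chosen for illustration; a production deployment would normally point the AAA lists at a RADIUS server instead of the local database. It assumes an IOS release that supports Diffie-Hellman group 14 (substitute `group 2` on older releases, accepting the weaker key exchange).

```cisco
! --- AAA: XAUTH user check and group policy lookup (local database assumed) ---
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username alice secret ChangeMe-Str0ng-Passphrase

! --- IKE Phase 1: policies tried in priority order (10 before 20) against
!     the remote's proposals; first match wins (Acceptance of SA Proposal) ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes
 hash sha
 authentication pre-share
 group 14

! --- Mode configuration: parameters pushed to the remote after XAUTH ---
crypto isakmp client configuration group REMOTES
 key Gr0up-Key-That-Is-Long-And-Random   ! group PSK; sent hashed in aggressive mode, so keep it strong
 dns 10.1.1.53
 domain example.com
 pool EZVPN-POOL
 acl 100                                 ! split-tunnel list: only these networks go through the tunnel
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
access-list 100 permit ip 10.0.0.0 0.255.255.255 any

! --- IKE Phase 2 (IPSec) parameters offered in quick mode ---
crypto ipsec transform-set EZ-TS esp-aes 256 esp-sha-hmac

! --- Dynamic crypto map: remotes have unknown addresses, so the entry is
!     completed at negotiation time; reverse-route injects a static route
!     to each assigned client address (Initiating Reverse Route Injection) ---
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 reverse-route

! --- Tie XAUTH, group authorization and mode config to the crypto map ---
crypto map EZ-MAP client authentication list EZVPN-XAUTH
crypto map EZ-MAP isakmp authorization list EZVPN-GROUP
crypto map EZ-MAP client configuration address respond
crypto map EZ-MAP 10 ipsec-isakmp dynamic EZ-DYN

! --- Apply to the outside interface the remotes connect to ---
interface GigabitEthernet0/0
 crypto map EZ-MAP
```

To watch the steps happen in the order described above, run `debug crypto isakmp` while a remote connects: you will see the aggressive-mode exchange, the XAUTH request and reply, the mode-configuration attribute push, and then quick mode. Afterwards `show crypto isakmp sa` shows the Phase 1 SA, `show crypto ipsec sa` the Phase 2 SAs, and `show ip route static` the host route that RRI installed for the address assigned from EZVPN-POOL.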